“Debunking” GhostNet

If by “debunking” you mean “validating” the GhostNet report you should listen to Paul Ducklin from Sophos discuss GhostNet in this interview. To be fair to Ducklin, I think that his comments are pretty much spot on but the host appears to be confused between our GhostNet report and the “Snooping Dragon” report by the folks at Cambridge.

Ducklin spanks us for relying on VirusTotal which is a point well taken. He also raises the attribution issue but in the context of the sophistication and availability of the tools the attacker used in the GhostNet case. We too raise this issue noting that while the individual tools used by the attackers were technically unsophisticated they were still able to infect and control high value targets in many cases for long period of time.

This report serves as a wake-up call. At the very least, a large percentage of high-value targets compromised by this network demonstrate the relative ease with which a technically unsophisticated approach can quickly be harnessed to create a very effective spynet…These are major disruptive capabilities that the professional information security community, as well as policymakers, need to come to terms with rapidly.

Tibet is the starting point of our story because that is where we (and by we I mean all the hard work of Greg Walton over the years) had samples of socially engineered emails with malicious attachments that were sent to Tibetan-related organizations and individuals. (Maarten Van Horenbeeck has done great work in this area concerning Tibet and the Falun Gong.) Greg also developed the trust relationships that allowed him (and Shishir from the Cambridge team) to travel to Dharmsala and collect network traffic from the OHHDL. Greg also collected samples from Tibetan-related organizations around the world.

Were people at these organizations really becoming infecting as a result of falling for these socially engineered attacks? Was there anything more we could find out about the control servers other than that these pieces of malware connect to IP addresses that are often in China? In many cases we were not able to find out much other than the obvious: a malware infected computer that connects to a control server in China. In fact, in many cases the control servers were identified in the field.

But when analyzing the data collected at the OHHDL back in the Citizen Lab, we were able to identify traffic to a control server in China (in Hainan Province) that was not identified in the field research and were able to find the attackers web-interface on it and several additional control servers. By carefully going through the data we were able to identify two distinct malware infections on the same computer at the OHHDL. While each piece had more than one control server, we were able to identify commonalities that allowed us to group the control servers into two distinct networks.

The infection we focused on issued HTTP GET requests to several PHP files on a server. There were connections to two domain names on the same server IP address. A lookup in APNIC shows that this IP address is assigned to a range belonging to Hainan-TELECOM in Hainan Province in China. One particular request stood out since it contained a parameter that appeared to contain a date while rest of the parameters in the request were encoded with base64. We took that string and put it in Google, and were surprised to see results.

Since it was not secured with a password we were able to click directly on a link from Google which took us straight to the attackers’ web interface. There was no “hacking” involved. I have a healthy fear of prison and stay clearly within the limits of the law.

Now that we knew the file names and paths favoured by the attacker we were able to guess the location of 26 such interfaces including several on the server to which the infected OHHDL computer connected.

It became clear that the attackers’ had a wide interest of targets that extended far beyond the Tibetans. When Ducklin discusses the wide range of malicious documents he’s seen that are similar to the ones used by the attackers we focused on it corroborates information that some of those who have been infected (that are not Tibetan related) are telling us. Non-Tibetan targets receive socially engineered emails that are contextually relevant to them. Many of the most interesting GhostNet victims are embassies, government ministries and international organizations. These are not Tibet specific targets.

GhostNet is *not* Tibet specific.

In our report we devoted a significant portion to alternative explanations and a discussion of the attribution problem. We do *not* say that we can prove that the Chinese government is behind GhostNet. In fact, we raise several plausible scenarios. Moreover, we suggest that this network is probably *not* unique and that there are many more like it out there.

One thing I’ve pointed out and will do so again is that just because tools used by the GhostNet attackers are widely available does not necessarily preclude government involvement. I mean what would that look like any way? A trojan labeled “Developed by the Government of China”? If I wanted to meld into the crowd, if I wanted to leverage the attribution problem, I’d use available tools and common methods. The GhostNet attackers showed that using such less sophisticated methods can be quite successful. Why reinvent the wheel and possibly provide a ‘smoking gun’ that points directly to you? Furthermore, if you could leverage independent actors to do the dirty work for, even better. There’s even less traceabilty.

That is why we stated right in the beginning of the report that “the study clearly raises more questions than it answers.”